On Wednesday 30 March 2005 14:18, Scot L. Harris wrote:
> On Wed, 2005-03-30 at 04:55, Tony Molloy wrote:
> > Hi All,
> >
> > I run tripwire each night on all my servers to check for file
> > changes. This morning I noticed something strange. On this server
> > tripwire was installed on 26th Nov last.
> >
> > [root@keano ~]# rpm -qa --last | grep tripwire
> > tripwire-2.3.1-18.fdr.3.1 Fri Nov 26 13:31:50 2004
> >
> > Now for some reason when it was run last night the following changes
> > had occurred to the tripwire executable. Changes to the Inode Number,
> > the block count, the CRC32 and MD5 checksums.
> >
> >
> > Modified object name: /usr/sbin/tripwire
> >
> > Now a similar change occurred on all 20 of my servers last night so I
> > don't think it was a compromise. At least I hope not.
> >
> > Any ideas?
>
> Most likely prelink ran and modified the binaries. First time I had
> tripwire reported like this I was in a mild panic thinking the worst.
> But it turned out to be prelink doing its thing via the cron job.
>
> --

Scot,

Thanks, I hadn't thought of that. As you said I was in a mild panic
first but then said a hacker couldn't have got at all the servers which
are on different vlans. Funny that it never happened before though.

Tony

--
Tony Molloy.
Dept. of Comp. Sci.
University of Limerick